Blue Coat Security Gateway 800
Combining caching with Web security
Last month CacheFlow changed its name to Blue Coat Systems, reflecting a new focus on policing the Web. The company's new beat cop is its Security Gateway 800, which combines proxy caching with fine-grained control over Web, Secure Sockets Layer and streaming media traffic. The SG800 handles security tasks that firewalls can't, such as blocking executable objects, viruses and other undesirable content on a per-object basis.
The new product also enhances CacheFlow's respectable caching performance. In our tests, the device moved traffic at rates of 1,200 transaction/sec, with no performance hit when advanced features are enabled. This performance and its ease of use made it worthy of our World Class Award.
Housed in a 1U (1.75-inch) rack-mountable enclosure, the SG800 we tested features 2G bytes of RAM, four redundant 68G-byte SCSI drives, two 10/100M bit/sec Ethernet interfaces and a copper gigabit Ethernet interface.
Setting up the SG800 is simply a matter of entering four parameters on a front-panel LED. Everything afterward can be done via CacheFlow's well-known intuitive Web interface.
The SG800 retains the same caching features as previous versions of the vendor's custom CacheOS operating system. Chief among these is "prefetching" of objects. If users often visit a site where pages contain a large number of images or other embedded objects, the cache will "prefetch" all objects so they can be served from the cache.
The user interface now includes a Visual Policy Manager (VPM), a Java-based applet with a look and feel that will be familiar to users of Check Point Software or NetScreen Technologies firewalls.
Where VPM differs from most firewalls is in its much finer grained control over access to Web, SSL and streaming media content. The SG800 lets users screen content based on HTML content type, executable content type, user's browser type, time of day and hundreds of other parameters. It's possible to block clients using Microsoft Internet Explorer 5.0 from requesting a group of URLs containing ActiveX objects during business hours.
VPM is equally strong when it comes to access policies. Users or groups can be allowed or denied access based on individual IP addresses, subnets, NT LAN Manager, Remote Authentication Dial-In User Service or Lightweight Directory Access Protocol authentication.
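The kind of first-match rule evaluation the VPM exposes (browser type, content type, time of day, client subnet, with ordered allow and deny rules) can be sketched as follows. This is an added illustration, not Blue Coat's code; the rule fields, the request dictionary and the sample rule set are assumptions constructed for the example.

```python
"""Added illustration of first-match Web access policy evaluation, modelled on
the VPM rule criteria described above (example code, not Blue Coat's software)."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    src_net: Optional[str] = None                # client subnet, e.g. "10.0.0.0/8"
    browser: Optional[str] = None                # substring expected in User-Agent
    content_type: Optional[str] = None           # exact Content-Type to match
    active_x: Optional[bool] = None              # True: only ActiveX objects match
    hours: Optional[Tuple[time, time]] = None    # local time window [start, end)

    def matches(self, req: dict) -> bool:
        """A rule matches only when every criterion it sets is satisfied."""
        if self.src_net and ip_address(req["client"]) not in ip_network(self.src_net):
            return False
        if self.browser and self.browser not in req["user_agent"]:
            return False
        if self.content_type and req["content_type"] != self.content_type:
            return False
        if self.active_x is not None and req["active_x"] != self.active_x:
            return False
        if self.hours and not (self.hours[0] <= req["time"] < self.hours[1]):
            return False
        return True


def evaluate(rules, req: dict, default: str = "deny") -> str:
    """First matching rule wins; requests matching no rule get the default action."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return default


# Constructed rule set: block IE 5.0 from ActiveX objects during business hours,
# block raw executables for everyone, otherwise allow clients on the LAN.
RULES = [
    Rule("deny", browser="MSIE 5.0", active_x=True, hours=(time(9), time(17))),
    Rule("deny", content_type="application/octet-stream"),
    Rule("allow", src_net="10.0.0.0/8"),
]


def decide(client: str, user_agent: str, content_type: str, active_x: bool, hhmm) -> str:
    """Build a request record from the fields the proxy sees and evaluate it."""
    req = {"client": client, "user_agent": user_agent, "content_type": content_type,
           "active_x": active_x, "time": time(*hhmm)}
    return evaluate(RULES, req)
```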
The SG800 can scan for viruses and objectionable content through use of third-party plug-ins. With these plug-ins, the SG800 will set up rules to deny content that contains known viruses or content such as violence, nudity, hate speech or other user-defined policies.
Security concerns
As powerful as these security features can be, we are concerned with the product's remote management. While the SG800 supports encrypted access via SSL or Secure Shell (SSH), neither of these services is enabled by default. Instead, the default access is via an unencrypted Web browser session or telnet. As a result, an unauthorized user who can observe the management traffic could intercept passwords or management commands.
Similarly, the SG800 can upload its logs to another server, but the transfer method is FTP, yet another unsecure protocol.
Unsecure default configurations are problematic in any device, let alone one called a "security gateway." Users are well advised to enable SSH and SSL before putting the SG800 into production networks.
Speed demon
We ran several benchmarks to evaluate the SG800's performance (see How we did it). We measured basic transaction rate and transaction rates with logging and rule sets enabled.
To get a sense of how the SG800 would handle a meaningful production load, we used Web Polygraph, the open source tool that has become a de facto standard for measuring cache performance.
Polygraph's Polymix-4 traffic load uses a blend of content types, object size distributions, object popularity, object freshness and cacheability. Polygraph also models delays and packet loss typically added by WAN links.
The SG800 handled a peak load of 1,202 transaction/sec in our tests, and it's possible that the device could go even faster. The 1,202-transaction/sec rate represents a horsepower limit of our test bed, and not necessarily a limit of the SG800.
We conducted our initial tests with access logging disabled. Because access logging is commonly used in production settings, we ran the test once again with logging enabled.
The good news is that transaction rates were just about the same: Even with logging turned on, the SG800 moved 1,191 transaction/sec.
We then ran the same test with 10 access policies defined, five "allow" rules and five "deny" rules; this time the SG800 moved around 1,174 transaction/sec.
One cost of adding logging and access rules was that the number of errors increased.
In our baseline test, there were virtually no errors. With logging enabled, there were errors on about 3.5% of transactions, and there were errors on about 7% of transactions with logging and access rules enabled.
Most errors involved transaction timeouts, but in all cases overall response times remained fairly even.
The SG800 offers a unique combination: fine-grained access control alongside caching features that help network professionals save bandwidth and speed response times.
How we did it
To measure cache performance, we used Web Polygraph, an open source HTTP generation and analysis tool. Besides the Blue Coat Security Gateway, our test bed included three pairs of Dell Optiplex GX100 machines with 256M bytes of RAM running FreeBSD 4.3 and Web Polygraph and an Extreme Networks Summit 7i switch that tied all the systems together.
We used the Polymix-4 workload and Release 2.7.6 of the Polygraph software. We used the default parameters of 10 phases, including two peak load phases during which we took our measurements. We also enabled FreeBSD's Dummynet feature, which simulates client-side WAN latencies of 40 msecs per packet and a 0.05% probability of packet loss on the server side. We did not add latency or packet loss for the clients.
Newman is president of Network Test in Westlake Village, Calif., an independent benchmarking consultancy. He can be reached at dnewman@networktest.com.
Newman is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.